Aussies get spooky cloud creds
Dan Tehan: Pressing ahead with Aussie cloud security expertise
Two local tech companies have been certified to store classified government data on their services as the federal government continues its move to cloud storage.
Canberra-based companies Vault Systems and Sliced Tech, both cloud storage providers, have been awarded protection level certification by the Australian Signals Directorate, meaning government agencies can securely store “protected” data on their cloud services.
Vault Systems and Sliced Tech were previously added to the Certified Cloud Services List with a lower protected rating in September 2015.
This the first time that an Australian company has been awarded this highest level of certification.
Macquarie Telecom has also been awarded certification for a lower level of protection for “unclassified DLM”, along with four multinationals: AWS, IBM, Microsoft and Salesforce.
The ASD defines protected data as information that is “highly sensitive”, while unclassified DLM is “sensitive” data such as that marked as “for official use only”.
The successful assessment of two home grown firms demonstrates Australia’s ability to lead the world on cyber security, according to the Minister Assisting the Prime Minister for Cyber Security Dan Tehan.
“We talk a lot about the importance of strong cyber security to protect personal information, money and critical infrastructure. This decision will allow the government more options to use cloud storage in a secure manner and in line with government policies,” Mr Tehan said in a statement.
Vault Systems is a wholesaler provider of cloud services that has partnered with Accenture and Fujitsu on end-delivery service for government agencies. Its founder and CEO Rupert Taylor-Price said this is a big moment for the company.
“We are delighted that an Australian company is the first to achieve this status. After six years of hard work building a government cloud which is located in Sydney and Canberra it is great that we can now store and manage classified data and systems on shore,” Mr Taylor-Price said.
The Australian Government recently began a push for departments and agencies to procure cloud-based solutions providers after establishing a Cloud Services Panel in January 2015. In May 2015 the first cloud service protection certificate was awarded to Macquarie Telecom.
Assistant Minister for Digital Transformation Angus Taylor said moving government services to the cloud is a 'key goal'.
“We are determined to have more small to medium sized Australian businesses as vendors to government. Ultimately we want to see a competitive, robust and fast-growing digital government sector in Australia and this is a great step in that direction,” Mr Taylor said in a statement.
To assess a company for certification, the ASD “broadly” uses the United States National Institute of Standards and Technology’s definition of cloud computing.
A provider must request an assessment, with an authorised Information Security Registered Assessors Program individual then completing a three-month audit.
This audit begins with the identification of security deficiencies which the system owner then rectifies or mitigates, followed by an audit to assess residual compliance.
At the completion of an assessment, the tech company receives a certification letter and report that it must then provide to government agencies when they are procuring services.
The ASD has said that other cloud providers are currently going through this certification process.
It comes after the ASD refreshed its baseline security procedures for the first time in three years last month, advising all Australian businesses to disable Flash and install ad blockers.
Federal Parliament also recently passed mandatory data breach notification rules requiring all agencies and organisations governed under the Privacy Act to inform the Australian Information Commissioner and impacted individuals following a data breach.